
Internet Worm War Further Ignited by 'Storm Trojan'

Last seen in January, the Trojan horse called "Storm Trojan" is back. This time it is spreading over instant messaging and attacking rival malware, researchers disclosed on 12 February 2007.

Researchers from Symantec said the Trojan horse, also called "Peacomm", is using AOL AIM (Instant Messenger), Yahoo Messenger and Google Talk to spread itself.

An alert received by some Symantec customers pegged the latest infection as insidious, because the message, for example the inscrutable "LOL;"), and the included URL could be updated dynamically by the scammer. Worse still, according to Alfred Huger, senior director of Symantec's security response team, the Trojan injects a message and a URL only into windows that are already open. It is not just a random message that pops up. Rather, it appears only to people you are already talking to via any of the messengers mentioned above. That is what makes this approach highly effective.

The most recent assault by Peacomm came after the campaign in January this year, when a mutant of the Storm Trojan was found to be responsible for about half of all malware occurring. When the attached document is opened, similar email messages are automatically sent to all the addresses on the infected machine, and code intended to add the PC to a spam-sending botnet is also downloaded.

Symantec's analysis reveals that the new versions of this malware include a rootkit that can hide several files and registry keys. However, the rootkit cannot hide the ports the malware uses, and it has other bugs that may result in crashes.

However, one researcher traced the Trojan horse further back. Joe Stewart, senior security researcher with SecureWorks, said after analyzing it that the Peacomm worm is in fact a spin-off of the "Nuwar" worm found in the previous year (2006). It is almost identical code, Stewart said in a statement published by the news magazine PCWORLD on 12 February 2007.

Both Huger and Stewart also confirmed that the Storm Trojan was behind various recent distributed DoS (denial-of-service) attacks against anti-spam websites and servers supporting rival malware.

However, the two researchers disagree when it comes to pegging a label on Peacomm. This scammer has been pulling from the standard playbook, adapting the best techniques and using off-the-shelf protocols, continued Stewart, who went on to characterize the malware maker as persistent and not technically sophisticated. It is extremely fundamental stuff, but it still works.

But Huger has a different viewpoint. Whether or not the scammer is technically that sophisticated is a moot point. His assaults are both well thought out and staged.